Malware Analysis Report

2025-01-02 02:02

Sample ID 220712-psnb7adba3
Target 4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e
SHA256 4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e
Tags
isrstealer collection spyware stealer trojan upx suricata remcos sality sales backdoor evasion persistence rat adwind
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e

Threat Level: Known bad

The file 4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e was found to be: Known bad.

Malicious Activity Summary

isrstealer collection spyware stealer trojan upx suricata remcos sality sales backdoor evasion persistence rat adwind

Sality

Windows security bypass

AdWind

Modifies firewall policy service

ISR Stealer

UAC bypass

Remcos

suricata: ET MALWARE ISRStealer Checkin

ISR Stealer payload

NirSoft MailPassView

Nirsoft

Sets file execution options in registry

Disables RegEdit via registry modification

Disables Task Manager via registry modification

UPX packed file

Executes dropped EXE

Disables use of System Restore points

Windows security modification

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Accesses Microsoft Outlook accounts

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Kills process with taskkill

Runs .reg file with regedit

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-12 12:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-12 12:35

Reported

2022-07-12 18:26

Platform

win7-20220414-en

Max time kernel

38s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1504 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1504 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 1768 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe

"C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\ZNBXoxsW4s.ini"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\L9Ku4EVNm0.ini"

Network

N/A

Files

memory/1504-54-0x0000000075371000-0x0000000075373000-memory.dmp

memory/1504-55-0x0000000073E60000-0x000000007440B000-memory.dmp

memory/1792-56-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/1768-58-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1768-59-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1768-61-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1768-63-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1768-64-0x0000000000401180-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/1768-72-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2040-74-0x00000000004512E0-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/2040-73-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2040-78-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2040-79-0x0000000000400000-0x0000000000453000-memory.dmp

memory/2040-80-0x0000000000400000-0x0000000000453000-memory.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/544-83-0x000000000041C410-mapping.dmp

memory/544-82-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

memory/544-87-0x0000000000400000-0x000000000041F000-memory.dmp

memory/544-88-0x0000000000400000-0x000000000041F000-memory.dmp

memory/544-89-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1504-90-0x0000000073E60000-0x000000007440B000-memory.dmp

memory/1768-91-0x0000000000400000-0x0000000000442000-memory.dmp

memory/2040-92-0x0000000000400000-0x0000000000453000-memory.dmp

memory/1768-93-0x0000000000400000-0x0000000000442000-memory.dmp

memory/1504-94-0x0000000073E60000-0x000000007440B000-memory.dmp

memory/2040-95-0x0000000000400000-0x0000000000453000-memory.dmp

memory/544-96-0x0000000000400000-0x000000000041F000-memory.dmp

memory/544-97-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-12 12:35

Reported

2022-07-12 18:25

Platform

win10v2004-20220414-en

Max time kernel

91s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe"

Signatures

ISR Stealer

trojan stealer isrstealer

ISR Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

suricata: ET MALWARE ISRStealer Checkin

suricata

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2664 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4364 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe

"C:\Users\Admin\AppData\Local\Temp\Balance_Payment.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\p3wxdQl088.ini"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

/scomma "C:\Users\Admin\AppData\Local\Temp\dtGYfof9n4.ini"

Network

Country Destination Domain Proto
US 8.8.8.8:53 chayto.com.ar udp
CA 149.56.22.100:80 chayto.com.ar tcp
US 209.197.3.8:80 tcp
US 20.189.173.1:443 tcp
FR 2.18.109.224:443 tcp
US 104.18.25.243:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp

Files

memory/2664-130-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/4164-131-0x0000000000000000-mapping.dmp

memory/4364-132-0x0000000000000000-mapping.dmp

memory/4364-133-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/4364-137-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4996-140-0x0000000000000000-mapping.dmp

memory/4996-141-0x0000000000400000-0x0000000000453000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/4996-144-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4996-145-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4996-147-0x0000000000400000-0x0000000000453000-memory.dmp

memory/4364-146-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\p3wxdQl088.ini

MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

memory/5068-149-0x0000000000000000-mapping.dmp

memory/5068-150-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

memory/5068-154-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2664-153-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/5068-155-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5068-156-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2664-157-0x0000000074B30000-0x00000000750E1000-memory.dmp

memory/4364-158-0x0000000000400000-0x0000000000442000-memory.dmp

memory/4364-159-0x0000000000400000-0x0000000000442000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-07-12 12:35

Reported

2022-07-12 18:25

Platform

win7-20220414-en

Max time kernel

151s

Max time network

155s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Remcos

rat remcos

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Disables Task Manager via registry modification

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 288 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 288 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 288 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 288 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 1940 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 1940 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 1940 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 1940 wrote to memory of 900 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 900 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 900 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 900 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 900 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 952 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\taskhost.exe
PID 952 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\Dwm.exe
PID 952 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\Explorer.EXE
PID 952 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
PID 952 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
PID 952 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\conhost.exe
PID 952 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 952 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 952 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 584 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 584 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 584 wrote to memory of 1316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 584 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 584 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 584 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 584 wrote to memory of 1104 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1104 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhost.exe
PID 1104 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\Dwm.exe
PID 1104 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Bank Details.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxawaeszfers43s3d43ec.bat" "

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "79816983-1283876440274465732101400589069897111-2145616783-1389609508-1840393135"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

serverbb.sfx.exe -piiasedfdsegg09o0i8i0i -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

Network

Country Destination Domain Proto
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp

Files

memory/288-54-0x0000000075391000-0x0000000075393000-memory.dmp

memory/1940-55-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxawaeszfers43s3d43ec.bat

MD5 e06f4ac29c4328f453637b572b8aeb0d
SHA1 c8a87ca47c44938b374ee225d6df5b86facc6af9
SHA256 6700e5fdb3c3c29c207d0c456d94b9e18536d77839724e94da6c34491f96c927
SHA512 42e9430a80af2c400440ae259b752e69f665048352dcacd558f0e3f4096bcdeccd81ecf129e3c3533831fa5187faf4fc28efd2b8f2c671f90137c216bd6d2eec

\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

MD5 e6121feb0325525065baad0db96fee62
SHA1 0f1a671a5d360c33648e065c4f19a0a8fef276ff
SHA256 1d72b61cc04f1f4da847b4950e6cf70aaac16a05677e4f0635c06e7ff376ae59
SHA512 72e4eb808e896cf9ffb03b7f97948c7fc98662b71fece805acdcd9c7c3e0c787f1ee939eef4e26dc7558d83ad00cbd0784e5dc5a8dca8e82181e947e8f8a69f3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

MD5 e6121feb0325525065baad0db96fee62
SHA1 0f1a671a5d360c33648e065c4f19a0a8fef276ff
SHA256 1d72b61cc04f1f4da847b4950e6cf70aaac16a05677e4f0635c06e7ff376ae59
SHA512 72e4eb808e896cf9ffb03b7f97948c7fc98662b71fece805acdcd9c7c3e0c787f1ee939eef4e26dc7558d83ad00cbd0784e5dc5a8dca8e82181e947e8f8a69f3

memory/900-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

MD5 e6121feb0325525065baad0db96fee62
SHA1 0f1a671a5d360c33648e065c4f19a0a8fef276ff
SHA256 1d72b61cc04f1f4da847b4950e6cf70aaac16a05677e4f0635c06e7ff376ae59
SHA512 72e4eb808e896cf9ffb03b7f97948c7fc98662b71fece805acdcd9c7c3e0c787f1ee939eef4e26dc7558d83ad00cbd0784e5dc5a8dca8e82181e947e8f8a69f3

\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/952-64-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/952-67-0x0000000001EE0000-0x0000000002F6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/584-69-0x0000000000000000-mapping.dmp

memory/952-70-0x0000000000400000-0x0000000000429000-memory.dmp

memory/952-72-0x0000000001EE0000-0x0000000002F6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 76c1687d97dfdbcea62ef1490bec5001
SHA1 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
SHA256 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
SHA512 da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

memory/1316-74-0x0000000000000000-mapping.dmp

memory/900-73-0x0000000002F40000-0x0000000002F69000-memory.dmp

memory/900-75-0x0000000002F40000-0x0000000002F69000-memory.dmp

memory/288-76-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/1940-77-0x0000000000300000-0x0000000000321000-memory.dmp

memory/900-78-0x0000000002DE0000-0x0000000003A2A000-memory.dmp

memory/900-79-0x0000000002DE0000-0x0000000002DEF000-memory.dmp

\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/1104-83-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/1104-86-0x0000000001E70000-0x0000000002EFE000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 4fb23f36287391b5b0829eb1a3e595c2
SHA1 1459e9e649e8c11d464b57f783326acedb099565
SHA256 25381024ace3ba69e014e0a83919ddd2842c756beea227cb38cb07ac8a134e53
SHA512 5455cfc79a6ebd0b46717d216ffaed7eb7a7c8e373c3b27fbd323dc6f4bcbfc404e62fda61d10c3686e18ce4480bae51f7cc99d5a4571b014d94db3895e38973

memory/1104-88-0x0000000001E70000-0x0000000002EFE000-memory.dmp

memory/1104-89-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1104-90-0x0000000000350000-0x0000000000352000-memory.dmp

memory/1104-91-0x0000000001E70000-0x0000000002EFE000-memory.dmp

memory/1104-92-0x0000000000350000-0x0000000000352000-memory.dmp

memory/1104-93-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-07-12 12:35

Reported

2022-07-12 18:25

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

155s

Command Line

"dwm.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Remcos

rat remcos

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Disables Task Manager via registry modification

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bank Details.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\"" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 920 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\Bank Details.exe C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 3048 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 3048 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 2796 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 2796 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 2796 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe
PID 1576 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\fontdrvhost.exe
PID 1576 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\fontdrvhost.exe
PID 1576 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\dwm.exe
PID 1576 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\sihost.exe
PID 1576 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\taskhostw.exe
PID 1576 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\Explorer.EXE
PID 1576 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\svchost.exe
PID 1576 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\system32\DllHost.exe
PID 1576 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1576 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1576 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1576 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1576 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\System32\RuntimeBroker.exe
PID 1576 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
PID 1576 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\Bank Details.exe
PID 1576 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\System32\Conhost.exe
PID 1576 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 1576 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe
PID 1576 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3084 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3084 wrote to memory of 2264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3084 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 3084 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 3084 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
PID 1048 wrote to memory of 792 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\fontdrvhost.exe
PID 1048 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\fontdrvhost.exe
PID 1048 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\dwm.exe
PID 1048 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\sihost.exe
PID 1048 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\svchost.exe
PID 1048 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhostw.exe
PID 1048 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1048 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\svchost.exe
PID 1048 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\DllHost.exe
PID 1048 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1048 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\System32\RuntimeBroker.exe
PID 1048 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1048 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\System32\RuntimeBroker.exe
PID 1048 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\System32\RuntimeBroker.exe
PID 1048 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\System32\Conhost.exe
PID 1048 wrote to memory of 792 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\fontdrvhost.exe
PID 1048 wrote to memory of 800 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\fontdrvhost.exe
PID 1048 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\dwm.exe
PID 1048 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\sihost.exe
PID 1048 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\svchost.exe
PID 1048 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\taskhostw.exe
PID 1048 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\Explorer.EXE
PID 1048 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\svchost.exe
PID 1048 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\system32\DllHost.exe
PID 1048 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Roaming\remcos\remcos.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Roaming\remcos\remcos.exe N/A

Processes

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Users\Admin\AppData\Local\Temp\Bank Details.exe

"C:\Users\Admin\AppData\Local\Temp\Bank Details.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxawaeszfers43s3d43ec.bat" "

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

serverbb.sfx.exe -piiasedfdsegg09o0i8i0i -dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "

C:\Windows\SysWOW64\PING.EXE

PING 127.0.0.1 -n 2

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

"C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"

Network

Country Destination Domain Proto
NL 67.26.109.254:80 tcp
MD 178.175.138.219:200 tcp
NL 67.26.109.254:80 tcp
US 8.253.135.241:80 tcp
MD 178.175.138.219:200 tcp
US 20.189.173.12:443 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 178.79.208.1:80 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp
MD 178.175.138.219:200 tcp

Files

memory/3048-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxawaeszfers43s3d43ec.bat

MD5 e06f4ac29c4328f453637b572b8aeb0d
SHA1 c8a87ca47c44938b374ee225d6df5b86facc6af9
SHA256 6700e5fdb3c3c29c207d0c456d94b9e18536d77839724e94da6c34491f96c927
SHA512 42e9430a80af2c400440ae259b752e69f665048352dcacd558f0e3f4096bcdeccd81ecf129e3c3533831fa5187faf4fc28efd2b8f2c671f90137c216bd6d2eec

memory/2796-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

MD5 e6121feb0325525065baad0db96fee62
SHA1 0f1a671a5d360c33648e065c4f19a0a8fef276ff
SHA256 1d72b61cc04f1f4da847b4950e6cf70aaac16a05677e4f0635c06e7ff376ae59
SHA512 72e4eb808e896cf9ffb03b7f97948c7fc98662b71fece805acdcd9c7c3e0c787f1ee939eef4e26dc7558d83ad00cbd0784e5dc5a8dca8e82181e947e8f8a69f3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\serverbb.sfx.exe

MD5 e6121feb0325525065baad0db96fee62
SHA1 0f1a671a5d360c33648e065c4f19a0a8fef276ff
SHA256 1d72b61cc04f1f4da847b4950e6cf70aaac16a05677e4f0635c06e7ff376ae59
SHA512 72e4eb808e896cf9ffb03b7f97948c7fc98662b71fece805acdcd9c7c3e0c787f1ee939eef4e26dc7558d83ad00cbd0784e5dc5a8dca8e82181e947e8f8a69f3

memory/1576-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

C:\Users\Admin\AppData\Local\Temp\RarSFX1\serverbb.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/1576-138-0x0000000002320000-0x00000000033AE000-memory.dmp

memory/1576-139-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3084-141-0x0000000000000000-mapping.dmp

memory/1576-140-0x0000000002320000-0x00000000033AE000-memory.dmp

memory/1576-142-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\install.bat

MD5 76c1687d97dfdbcea62ef1490bec5001
SHA1 5f4d1aeafa7d840cde67b76f97416dd68efd1bed
SHA256 79f04ea049979ffd2232c459fdd57fae97a5255aea9b4a2c7dce7ead856f37a4
SHA512 da250f0628632a644f159d818a82a8b9cca8224e46843bddbe0f6f9c32a2d04f7736a620af49ab6d77616317ca7d68285e60043965fe86c03d940835bd30a925

memory/2264-144-0x0000000000000000-mapping.dmp

memory/1048-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

C:\Users\Admin\AppData\Roaming\remcos\remcos.exe

MD5 e59cef15630374087f1223583760f64c
SHA1 b3b4449055b6f6da3c14a01785ce95ac817179d5
SHA256 38d8f89f5478c51f2c3662fc52282d16ce38d6c78823bca726306b0d9bb7c9c6
SHA512 9928bcdd296be8f3de666e1a440cdd778cb6d6621c62a6d5c4e104d5df25f7ab445c0d3ddc552c9847bb0c149e00fb7992233d2ce279178f6866e8b89eae9652

memory/1048-148-0x00000000021E0000-0x000000000326E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 3f28f380b272edcf1e085aecae145e46
SHA1 fce2da2ef2a49cfa4b077c3e56dd051731942a53
SHA256 43c6033b11076f1fceeaff17637764a07eabed48746068b099308e24f4e63b68
SHA512 528b2289bd13764a266f03642696c34935e93584a60da858f3001eb78801c8aa48a4cb9def9d6bc5f4c0307d0485f91e6603b0f21cd0a756d740d1e960b42f05

memory/1048-150-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1048-151-0x00000000021E0000-0x000000000326E000-memory.dmp

memory/1048-152-0x00000000021E0000-0x000000000326E000-memory.dmp

memory/1048-153-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2022-07-12 12:35

Reported

2022-07-12 18:25

Platform

win7-20220414-en

Max time kernel

148s

Max time network

152s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\invoice for the payment.jar"

Signatures

AdWind

trojan adwind

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\regedit.exe N/A

Disables Task Manager via registry modification

evasion

Disables use of System Restore points

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavTray.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvoy.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCHelper64.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiESNAC.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshclamwrap.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilUp.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanpro.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EMLPROXY.EXE\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nnf.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdatesvc.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprosec.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANWSCS.EXE C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiUpdateTray.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldRTM.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYICOS.EXE\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAntiSpyware.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSessionAgent.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvoy.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYSSER.EXE C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWin.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx64.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanoav.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twsscan.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServiceShell.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7SysMon.Exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utsvc.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlhh.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCore64.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchDog.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bavhm.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiSSLVPNdaemon.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamTray.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx64.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nfservice.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filwscc.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldCCC.exe C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDTray.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.EXE C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldCCC.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamscan.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcsvc.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7PSSrvc.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nbrowser.exe C:\Windows\regedit.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSvcHost.exe\debugger = "svchost.exe" C:\Windows\regedit.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\java.exe N/A
N/A N/A C:\Windows\system32\java.exe N/A
N/A N/A C:\Windows\system32\java.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZflezdoejVf = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\bvVnJXUxDkt\\suMzvbAwWtM.vrqiBR\"" C:\Windows\system32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\test.txt C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe N/A
File created C:\Windows\System32\test.txt C:\Windows\system32\java.exe N/A
File opened for modification C:\Windows\System32\test.txt C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 2016 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1948 wrote to memory of 2016 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1948 wrote to memory of 2016 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 1948 wrote to memory of 1336 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 1336 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 1336 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1976 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1976 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 1976 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1976 wrote to memory of 2028 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1336 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1336 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1336 wrote to memory of 1384 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2016 wrote to memory of 888 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 888 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2016 wrote to memory of 888 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 888 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 888 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 888 wrote to memory of 1724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1948 wrote to memory of 1560 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 1560 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 1560 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1560 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1560 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1560 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 2016 wrote to memory of 976 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 2016 wrote to memory of 976 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 2016 wrote to memory of 976 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\xcopy.exe
PID 1948 wrote to memory of 1080 N/A C:\Windows\system32\java.exe C:\Windows\system32\xcopy.exe
PID 1948 wrote to memory of 1080 N/A C:\Windows\system32\java.exe C:\Windows\system32\xcopy.exe
PID 1948 wrote to memory of 1080 N/A C:\Windows\system32\java.exe C:\Windows\system32\xcopy.exe
PID 1948 wrote to memory of 1508 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 1508 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 1508 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 1948 wrote to memory of 556 N/A C:\Windows\system32\java.exe C:\Windows\system32\reg.exe
PID 1948 wrote to memory of 556 N/A C:\Windows\system32\java.exe C:\Windows\system32\reg.exe
PID 1948 wrote to memory of 556 N/A C:\Windows\system32\java.exe C:\Windows\system32\reg.exe
PID 1948 wrote to memory of 1732 N/A C:\Windows\system32\java.exe C:\Windows\system32\attrib.exe
PID 1948 wrote to memory of 1732 N/A C:\Windows\system32\java.exe C:\Windows\system32\attrib.exe
PID 1948 wrote to memory of 1732 N/A C:\Windows\system32\java.exe C:\Windows\system32\attrib.exe
PID 1948 wrote to memory of 1904 N/A C:\Windows\system32\java.exe C:\Windows\system32\attrib.exe
PID 1948 wrote to memory of 1904 N/A C:\Windows\system32\java.exe C:\Windows\system32\attrib.exe
PID 1948 wrote to memory of 1904 N/A C:\Windows\system32\java.exe C:\Windows\system32\attrib.exe
PID 1948 wrote to memory of 1928 N/A C:\Windows\system32\java.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 1948 wrote to memory of 1928 N/A C:\Windows\system32\java.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 1948 wrote to memory of 1928 N/A C:\Windows\system32\java.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
PID 1928 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
PID 1928 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
PID 1928 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
PID 1928 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1984 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 1984 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe
PID 772 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe C:\Windows\system32\cmd.exe
PID 772 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe C:\Windows\system32\cmd.exe
PID 772 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 1928 wrote to memory of 984 N/A C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe C:\Windows\system32\cmd.exe
PID 984 wrote to memory of 732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\invoice for the payment.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.342289545397438837758811374804571086.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5733098782243061568.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7397763516254293448.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7397763516254293448.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5733098782243061568.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3259974879170977603.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3259974879170977603.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4679470186179004466.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4679470186179004466.vbs

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\xcopy.exe

xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ZflezdoejVf /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\bvVnJXUxDkt\suMzvbAwWtM.vrqiBR\"" /f

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\bvVnJXUxDkt\*.*"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\bvVnJXUxDkt"

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\bvVnJXUxDkt\suMzvbAwWtM.vrqiBR

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.08401529177074585868909012934459593.class

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5381962756983221983.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5381962756983221983.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1389535222514546923.vbs

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive918936036628501706.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1389535222514546923.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive918936036628501706.vbs

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8067574507443698914.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8067574507443698914.vbs

C:\Windows\system32\cmd.exe

cmd.exe

C:\Windows\system32\cmd.exe

cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\WbQaYOKndE338279437443529972.reg

C:\Windows\system32\taskkill.exe

taskkill /IM UserAccountControlSettings.exe /T /F

C:\Windows\regedit.exe

regedit.exe /s C:\Users\Admin\AppData\Local\Temp\WbQaYOKndE338279437443529972.reg

C:\Windows\system32\taskkill.exe

taskkill /IM Taskmgr.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM ProcessHacker.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM procexp.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM MSASCui.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM MsMpEng.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM MpUXSrv.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM MpCmdRun.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM NisSrv.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM ConfigSecurityPolicy.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM procexp.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM wireshark.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM tshark.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM text2pcap.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM rawshark.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM mergecap.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM editcap.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM dumpcap.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM capinfos.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM mbam.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM mbamscheduler.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM mbamservice.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM AdAwareService.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM AdAwareTray.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM WebCompanion.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM AdAwareDesktop.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM V3Main.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM V3Svc.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM V3Up.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM V3SP.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM V3Proxy.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM V3Medic.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM BgScan.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM BullGuard.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM BullGuardBhvScanner.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM BullGuarScanner.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM LittleHook.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM BullGuardUpdate.exe /T /F

C:\Windows\system32\taskkill.exe

taskkill /IM clamscan.exe /T /F

Network

Country Destination Domain Proto
MD 178.175.138.219:441 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
MD 178.175.138.219:441 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
MD 178.175.138.219:441 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp
N/A 127.0.0.1:7777 tcp

Files

memory/1948-54-0x000007FEFC021000-0x000007FEFC023000-memory.dmp

memory/1948-61-0x0000000002370000-0x0000000005370000-memory.dmp

memory/2016-65-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.342289545397438837758811374804571086.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

memory/2016-77-0x0000000002280000-0x0000000005280000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1819626980-2277161760-1023733287-1000\83aa4cc77f591dfc2374580bbd95f6ba_e0ffcd78-9b22-40d1-a23f-5e55cdd3b217

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/1976-82-0x0000000000000000-mapping.dmp

memory/1336-81-0x0000000000000000-mapping.dmp

memory/2028-83-0x0000000000000000-mapping.dmp

memory/1384-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive7397763516254293448.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive5733098782243061568.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/888-87-0x0000000000000000-mapping.dmp

memory/1724-88-0x0000000000000000-mapping.dmp

memory/1560-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive3259974879170977603.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/972-91-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive4679470186179004466.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/976-93-0x0000000000000000-mapping.dmp

memory/1080-94-0x0000000000000000-mapping.dmp

memory/1508-95-0x0000000000000000-mapping.dmp

memory/556-96-0x0000000000000000-mapping.dmp

memory/1732-97-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\bvVnJXUxDkt\suMzvbAwWtM.vrqiBR

MD5 93d2d92db87d216a310f3e57989f5b71
SHA1 c9e87592ad9e35a4042d8f766c537a866a359fd9
SHA256 37d20da1d9f4859c04c4f4fa921ef98cec87c7c50e1666c3fe9be5104716b268
SHA512 7efd15ef40f5cb46cf905ab96a7d19b114e111b2cf77a0729de5693019242e0c013cc4c846051d14286915dcf52edb22e2fa388dc1119ab1284f1dd3df110880

C:\Users\Admin\bvVnJXUxDkt\ID.txt

MD5 bde1dd6924dbee2940e5871a2501f58a
SHA1 d6fd33fbf7d768d1c5443968c80197b15dfb1d4c
SHA256 814a8391bae0976f1be440b31abfd1103cf6e0734126a37b45801bc89021fa10
SHA512 649e776907d98f8fda8edfce98eecbe6f600d75d589b2741363db863847e7ce5ffe59a302737c02515cfcf001020feecc83e7dafcdc1b62bd2d375245ebce002

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

memory/1928-103-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

MD5 846245142683adc04baf77c6e29063db
SHA1 6a1b06baf85419b7345520d78ee416ce06747473
SHA256 c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c
SHA512 e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

memory/1904-98-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe

MD5 846245142683adc04baf77c6e29063db
SHA1 6a1b06baf85419b7345520d78ee416ce06747473
SHA256 c860377e71c0bae6821f9083123f55974a549e2c57ff50cec572d18ed06f2d6c
SHA512 e0a7c9d9da3d062245718bb54553170857f647798308e4e28e5b5fbf3ac2a0496cf55bfc7a7663810113cf71807923bb365b27652a12c106e1908a89ec12cbaa

\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

MD5 8ebc899a0ee346da1484d99d991aee48
SHA1 d6e6b5508b74ea4154099f8814b30105a44bee85
SHA256 ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7
SHA512 77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

MD5 8ebc899a0ee346da1484d99d991aee48
SHA1 d6e6b5508b74ea4154099f8814b30105a44bee85
SHA256 ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7
SHA512 77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

C:\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg

MD5 ab035b969e9bcf200cbdfd1158d475a7
SHA1 e36c2a8e62edf04b3b8f282c28e9408ee6d1da10
SHA256 940c29cd2a34a9d84275e3b526d595eec6e08ba5f7f0806fc545ce0d26fe9024
SHA512 2f96657645a4e25e80ac684c00bd931857ab91e72c9411024f5de06ab629de0a7c79ae13efef9ccba6bd19442d823ea840d066ba133bfd89144dd6c0eb0b32bf

C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

MD5 ffa8f0ee3aace64fac7f55cb718472a9
SHA1 d199b599dd062737c64e49213088b4e568418a1c
SHA256 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff
SHA512 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

MD5 ffa8f0ee3aace64fac7f55cb718472a9
SHA1 d199b599dd062737c64e49213088b4e568418a1c
SHA256 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff
SHA512 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

MD5 4b4153f3ae3454a5d9dae1b41846e908
SHA1 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d
SHA256 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160
SHA512 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index

MD5 8bff510abed2b6fcc5a83eedb65b1766
SHA1 ba6d0cd7504a5baeb963501b8bdf315ec6cb355c
SHA256 afb4850419612e0daf1876a5d61120ed0ccae241f188c25c014602007b3a765b
SHA512 8786bd672ce9c53f4c31f8206d621eb06ae7527f9adf3700955cc1cb928dde145b684666a5eb4ac11301541f585970ccd377ba144da351741e3cb5769b6ff522

C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

MD5 4b4153f3ae3454a5d9dae1b41846e908
SHA1 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d
SHA256 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160
SHA512 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\AppData\Roaming\Oracle\lib\rt.jar

MD5 b3f3eea1bb42a24646638668b4022d5f
SHA1 c63ff198af318be31426e4441f2507b299c742d7
SHA256 5a42fe1fdf54299f751ee73a2756114a7d66de1062a458699ad200d8bcaacd86
SHA512 3033ee55558437d1096d742092e852c8eebd5a4b99e1bc6a639a8b94de8af4200e9c7a495527ecce553c5fc40fb6bba9fe47326c91c8f908564b5837f1b1b620

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index

MD5 426812cbfc93fb23bbc504c2bf92575b
SHA1 e077f3d8e6a0b769c0c504348b257edc609563c8
SHA256 ef4f43d97420e544fd64d504029233191e92a46bc7811478f4b6dc7c02651072
SHA512 84f3ddc620dc2b98425ca6742e295151d4f27e417412e1ea6bcec8d2eb9d71c98cb60b9f687ab7443f702f23fa98011793f73e715e0a9e82ef4f40038b69eab0

memory/1928-132-0x0000000002300000-0x0000000005300000-memory.dmp

C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar

MD5 8447fe024c6ed74ebcf06462689bcb63
SHA1 78ea3dcc279af9216bed911e7c1018e604151929
SHA256 c98f8ca3a99b4d29dd06e80aa9395fa6c267554a335c3f5db40d90b818d44c8c
SHA512 e56325ec4cb124744b2b711b0ac607150237f11884e25cb4bbe224ab32754e246765670f11df08a3c2a6a950f536780414827d0a7fdd0ce689e5ae8235accbf8

C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

MD5 b3e0f70c518921dad42bab3c0304144d
SHA1 c2b74c7c036e221317a992f147aec77ba7eb9fc1
SHA256 d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7
SHA512 07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security

MD5 779d1c858e736a5a9e9f5a5eddf49fe2
SHA1 7af7dda65d74c7cd17ad10b0aa9e854a96a26e6f
SHA256 379f1c061e63b8a272b034503d4af821ee0f40052d0cff060ac61bc190071b66
SHA512 339844ee820b81212a59cf25cc99a5ccdd656634038d72cdefce305b3fcce0ecba5d50c1610adcb2089a1d1635bcc2c84dd2e5b64bdd84f1c0ee2d139c86b46c

\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

MD5 b3e0f70c518921dad42bab3c0304144d
SHA1 c2b74c7c036e221317a992f147aec77ba7eb9fc1
SHA256 d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7
SHA512 07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

MD5 2977c42aae44773f721c5a6dbaaa6feb
SHA1 69635e0b0d70823dbb45bed6d8ad0dfddf0540e6
SHA256 910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5
SHA512 a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

MD5 2977c42aae44773f721c5a6dbaaa6feb
SHA1 69635e0b0d70823dbb45bed6d8ad0dfddf0540e6
SHA256 910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5
SHA512 a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

MD5 018c6d5d781ecb2c0eca8d08acd03a76
SHA1 7739a2fb33303ff00b27c4ed00e1321badbfee58
SHA256 40c94ba508ec8724a4e7aef704afeb6ac42e5bcbd8078868320883698529ee33
SHA512 b332d890f3aa28cd98e6431e8ad37aa47ff7bf44dfe6dbe56defc685f00bd7b54b234025fc0eeb64ea7314a7fc0371ce38e11295d09ec6eba66058c9f693e98b

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

memory/772-140-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe

MD5 018c6d5d781ecb2c0eca8d08acd03a76
SHA1 7739a2fb33303ff00b27c4ed00e1321badbfee58
SHA256 40c94ba508ec8724a4e7aef704afeb6ac42e5bcbd8078868320883698529ee33
SHA512 b332d890f3aa28cd98e6431e8ad37aa47ff7bf44dfe6dbe56defc685f00bd7b54b234025fc0eeb64ea7314a7fc0371ce38e11295d09ec6eba66058c9f693e98b

C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar

MD5 29753d8abdc7ba7561d2c5fd96cee210
SHA1 acfe2f4fbb9101bae52c2161703c1914ce65a062
SHA256 105840a8b3ab7ff368d58aba76b83eb0ea5445a4fe6f84a4ace9a3c8f05cb9e9
SHA512 741175c4a07ae66646c8069df99247896ca5f2d647a7b08f9d3e93576e0e5dd3c9a0a67871d2b6ad768c762cd0bc45343e32017af7dbe7d6cbd953059d5684c9

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar

MD5 a00a0eb4a6c8f58ba0674bf56da6b601
SHA1 40a67c09f821af3f62d428e4d79980f9df10e407
SHA256 de574520c29756024f93d2136b8180d9d998a66ed6743bb484fc7ee4601705ac
SHA512 ec76a4d64dd71095e92c96a63d52a4bd8c935304dc3bdc3922773e561dd6558012c373c44ffee6e9858a28cc35c587c89bec3bc86ef3d579e4d149e2acc8c417

\Users\Admin\AppData\Roaming\Oracle\bin\msvcr100.dll

MD5 df3ca8d16bded6a54977b30e66864d33
SHA1 b7b9349b33230c5b80886f5c1f0a42848661c883
SHA256 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36
SHA512 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0

\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll

MD5 8ebc899a0ee346da1484d99d991aee48
SHA1 d6e6b5508b74ea4154099f8814b30105a44bee85
SHA256 ccd87243f35ae5f0235d4c9e35c76997b2269493751dc82791826250699506f7
SHA512 77d7f67d52be75539959afa466bfb09479d8c699e9e262289eda7736fbfc8e22835e7095e06d8081f364c7618888b3fa27c9a697a43b111ec032aeaaee387d16

C:\Users\Admin\AppData\Local\Temp\_0.08401529177074585868909012934459593.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\US_export_policy.jar

MD5 d5d126ae15abecb7d6e3a28b0d57543e
SHA1 0f5f7000873330225c67c37b7e5e3f310ddf5730
SHA256 0e38f50cd7ebdfe7dafeebfa7156b89f848d5c7fae853db755b190e98ac4e7f2
SHA512 196b852e76b32c07efdbf88e16995881d940e0144b2d0e0cab8c4f51362898db75489d6f1a98a51b49fb50b50ca25a083529315929668d75d54b3af18e0cfefe

\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll

MD5 4b4153f3ae3454a5d9dae1b41846e908
SHA1 6082bb1a46ea5b1a6cd3e2bcae196c532f56050d
SHA256 09ecb4d529a7aef436e0b629aaa8d4717886bedc65223e6b693358369efe6160
SHA512 07398432f2efc2a29f569cf3f421f36b2bf2ca60c71c6a1d193b2b1c0b2ce4b4433029f9c37c79d0bd912c1dda3e1a90a1da9836531145cd6b003b45d9f1946d

C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar

MD5 6206de1bba4fd8f0046d59177f6b3dcb
SHA1 443658612b0ed8e1c2fe0353ee4e9a0f5ade636c
SHA256 6f09f93e0b9c24704af89bbb527b6834f7857a953fa65b32b0d5434a2df18028
SHA512 ffc66be163eaa965d357e0574db5d7dcc8927f062dff395b96968e6f313034e5c9eaa24fc626a68bbcf6cec2b2d7430786561e16f96a87363f0dca4e0f6c230a

\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll

MD5 94d11fc73e3de366cc0c7a752feaf975
SHA1 c449985a32ab342c46d1962af251db47587bce30
SHA256 ee1a861382193204af35455cacc1bddecc5b559ebf5bc7b851d3a01d377e8571
SHA512 338629676469edaaa9600bfd901e9a1af99891b1c70bb4dd8593136be3a50be1dab1d0005eb5f6050d792c886818dd8ff0869fcad90c44bf20e5c32f9c0b0322

C:\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll

MD5 94d11fc73e3de366cc0c7a752feaf975
SHA1 c449985a32ab342c46d1962af251db47587bce30
SHA256 ee1a861382193204af35455cacc1bddecc5b559ebf5bc7b851d3a01d377e8571
SHA512 338629676469edaaa9600bfd901e9a1af99891b1c70bb4dd8593136be3a50be1dab1d0005eb5f6050d792c886818dd8ff0869fcad90c44bf20e5c32f9c0b0322

\Users\Admin\AppData\Roaming\Oracle\bin\java.dll

MD5 ae42860afe3a2843efa9849263bd0c21
SHA1 1df534b0ee936b8d5446490dc48f326f64547ff6
SHA256 f8d4f05526d9700346cedd556649ad786ac2d1e21c0d669ddddb980e6b44414d
SHA512 c34f92de61236ccd5d8ebd4212ef87ee44ef23897e172023b9e859fe530b0e9d6e864620aa99cc5b1506b2c6327d12ac9ec2f7afafd646115a92b4537ffc4ca9

C:\Users\Admin\AppData\Roaming\Oracle\lib\security\local_policy.jar

MD5 f41ab8f64b1fa13fec7276579c420951
SHA1 256fae2beeccabdd441bb072b1f2fa3349625807
SHA256 3e9cdd87f4a7c8f27b2bf4d03a7e51b6ce6a563a7f619db8e3197799f1838afd
SHA512 9faa38adaa441d6596e25dda3a67789cd1978ee2fb5e65b99a7eb2c0eacd862d6260bb9eacd17c056aa5fbc180004c724b0229d3073f18c2c626efcda14364d2

\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll

MD5 ffa8f0ee3aace64fac7f55cb718472a9
SHA1 d199b599dd062737c64e49213088b4e568418a1c
SHA256 4484408f77c26aec4229a8c3b0b7a3199590f338ffc23b480df0515f4b76cbff
SHA512 2298afdad7e5b8f98ff3e28c14a51ab533b03ec89d02a061473f2d67e1c49797bd74308d7a6a0dab23fab7bf8908f89921e52a010832ab601d646b09d5c4884f

\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll

MD5 94d11fc73e3de366cc0c7a752feaf975
SHA1 c449985a32ab342c46d1962af251db47587bce30
SHA256 ee1a861382193204af35455cacc1bddecc5b559ebf5bc7b851d3a01d377e8571
SHA512 338629676469edaaa9600bfd901e9a1af99891b1c70bb4dd8593136be3a50be1dab1d0005eb5f6050d792c886818dd8ff0869fcad90c44bf20e5c32f9c0b0322

C:\Users\Admin\AppData\Roaming\Oracle\lib\resources.jar

MD5 f43e2bea45648670903f3f9c462e89ba
SHA1 0c64730537815a28ef1be22bdb709065ed505479
SHA256 bd7734192a891eba585e94996c4a8812f7cf96753671aa9a74268c39faf50987
SHA512 af5edd06039ae86806c8846468f82d5fa43affd00b4a9757bed8ecea466272aefbac70656eaf211188db07209472bb3bc2ed9445dcb74e98328ac0ec4bb61c18

memory/2016-169-0x0000000002280000-0x0000000005280000-memory.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\net.dll

MD5 b3e0f70c518921dad42bab3c0304144d
SHA1 c2b74c7c036e221317a992f147aec77ba7eb9fc1
SHA256 d596cc70a16fd058262b46c092723ac8b19d803f9b57336d1d7e2af10fbbe7d7
SHA512 07d74b127608763a06847bc47185e844f139d440357770c181cf3c7dc440e8e993cdc6b68999e863b6be9e16c56a11a50f1709e478386e7aa3dea6b9b0dec034

C:\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll

MD5 049b2f21eeabedbc85a5435849c26c52
SHA1 3399776cdcca0e846ddef891e840dc5b22af55c1
SHA256 4136f7e7282d17fe4bd24d2bd86432664153f34f712fb1c82e40b95567bce3f8
SHA512 af9d224f6739be29d6ae0d7d8fe87054c20933dec34352604df7ea82733152acb02c63983ec910b7a3e433c32226dc971d9575386945e2590c67b496c6dbf4e3

C:\Users\Admin\AppData\Roaming\Oracle\lib\accessibility.properties

MD5 9e5e954bc0e625a69a0a430e80dcf724
SHA1 c29c1f37a2148b50a343db1a4aa9eb0512f80749
SHA256 a46372b05ce9f40f5d5a775c90d7aa60687cd91aaa7374c499f0221229bf344e
SHA512 18a8277a872fb9e070a1980eee3ddd096ed0bba755db9b57409983c1d5a860e9cbd3b67e66ff47852fe12324b84d4984e2f13859f65fabe2ff175725898f1b67

\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll

MD5 049b2f21eeabedbc85a5435849c26c52
SHA1 3399776cdcca0e846ddef891e840dc5b22af55c1
SHA256 4136f7e7282d17fe4bd24d2bd86432664153f34f712fb1c82e40b95567bce3f8
SHA512 af9d224f6739be29d6ae0d7d8fe87054c20933dec34352604df7ea82733152acb02c63983ec910b7a3e433c32226dc971d9575386945e2590c67b496c6dbf4e3

memory/772-176-0x00000000021F0000-0x00000000051F0000-memory.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll

MD5 2977c42aae44773f721c5a6dbaaa6feb
SHA1 69635e0b0d70823dbb45bed6d8ad0dfddf0540e6
SHA256 910de556a8660a5dfb715bacd3a3957c4b027270f4e9d013ff6dced3bd0107c5
SHA512 a53f01aeeb528810e17fde436a995c3b5842c1068dcd64aa65274138334b9f775e4552dc4997b7726669f3e7180e67bac8768793c4795f0321976b17dc0fbac4

memory/1984-178-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll

MD5 049b2f21eeabedbc85a5435849c26c52
SHA1 3399776cdcca0e846ddef891e840dc5b22af55c1
SHA256 4136f7e7282d17fe4bd24d2bd86432664153f34f712fb1c82e40b95567bce3f8
SHA512 af9d224f6739be29d6ae0d7d8fe87054c20933dec34352604df7ea82733152acb02c63983ec910b7a3e433c32226dc971d9575386945e2590c67b496c6dbf4e3

memory/1720-179-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive5381962756983221983.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/984-184-0x0000000000000000-mapping.dmp

memory/732-185-0x0000000000000000-mapping.dmp

memory/1164-186-0x0000000000000000-mapping.dmp

memory/1108-183-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive1389535222514546923.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive918936036628501706.vbs

MD5 a32c109297ed1ca155598cd295c26611
SHA1 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
SHA256 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
SHA512 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

memory/996-190-0x0000000000000000-mapping.dmp

memory/1448-191-0x0000000000000000-mapping.dmp

C:\Windows\System32\test.txt

MD5 a0dc680dcda31535e25329e906d09fb3
SHA1 81f52073bff734b6f8ba3da73b3a3fab06ca3082
SHA256 fccddd77716c97258426d16dfce6bb5f0084ac91570f79084c0058a2c66b62d2
SHA512 619115dfd91dafc13e72c3f3388f5f3d5f1087aed02df3ac9cb10105c20d9f814d8da1977791dbdb0f93113845bf23acb821d50fc9d6e74689adf3639a8ddef6

memory/1504-192-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Oracle\bin\management.dll

MD5 b1f2410bf495a1772b1b4e256eb1fb11
SHA1 56538bc388df2546efd1959b570f0aafef042861
SHA256 f0e73daee37b0f5715a36559aaa783f1ac599bb27f8e403ed7f6d8c1af020f79
SHA512 114be4fef647f5c7557a1abaa9a7d33cdd0cdea779ec7e569b105771766ecd8c17cdce8c7232ef1dec85f617c791d8ec6f0b53a5d161a1f2d360e03aee8f07a4

memory/1664-194-0x0000000000000000-mapping.dmp

memory/1676-196-0x0000000000000000-mapping.dmp

memory/1132-195-0x0000000000000000-mapping.dmp

memory/1904-197-0x0000000000000000-mapping.dmp

memory/1496-199-0x0000000000000000-mapping.dmp

memory/1116-200-0x0000000000000000-mapping.dmp

memory/1100-201-0x0000000000000000-mapping.dmp

memory/1928-202-0x0000000002300000-0x0000000005300000-memory.dmp

memory/1608-203-0x0000000000000000-mapping.dmp

memory/892-204-0x0000000000000000-mapping.dmp

memory/1296-205-0x0000000000000000-mapping.dmp

memory/468-206-0x0000000000000000-mapping.dmp

memory/772-207-0x00000000021F0000-0x00000000051F0000-memory.dmp

memory/864-208-0x0000000000000000-mapping.dmp

memory/1564-210-0x0000000000000000-mapping.dmp

memory/280-211-0x0000000000000000-mapping.dmp

memory/1312-212-0x0000000000000000-mapping.dmp

memory/1220-213-0x0000000000000000-mapping.dmp

memory/1504-215-0x0000000000000000-mapping.dmp

memory/1528-216-0x0000000000000000-mapping.dmp

memory/1580-218-0x0000000000000000-mapping.dmp

memory/1600-219-0x0000000000000000-mapping.dmp

memory/1664-220-0x0000000000000000-mapping.dmp

memory/1204-222-0x0000000000000000-mapping.dmp

memory/468-223-0x0000000000000000-mapping.dmp

memory/1720-224-0x0000000000000000-mapping.dmp

memory/1764-226-0x0000000000000000-mapping.dmp

memory/1032-227-0x0000000000000000-mapping.dmp

memory/800-228-0x0000000000000000-mapping.dmp

memory/1448-230-0x0000000000000000-mapping.dmp

memory/1452-231-0x0000000000000000-mapping.dmp

memory/1456-232-0x0000000000000000-mapping.dmp

memory/592-234-0x0000000000000000-mapping.dmp

memory/1904-235-0x0000000000000000-mapping.dmp

memory/1900-236-0x0000000000000000-mapping.dmp

memory/1496-238-0x0000000000000000-mapping.dmp

memory/984-239-0x0000000000000000-mapping.dmp

memory/996-240-0x0000000000000000-mapping.dmp

memory/1604-242-0x0000000000000000-mapping.dmp

memory/1764-243-0x0000000000000000-mapping.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2022-07-12 12:35

Reported

2022-07-12 18:26

Platform

win10v2004-20220414-en

Max time kernel

35s

Max time network

39s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\invoice for the payment.jar"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 432 wrote to memory of 3340 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 432 wrote to memory of 3340 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\invoice for the payment.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.6268536215132375629531930852222768.class

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 8.238.21.126:80 tcp

Files

memory/432-132-0x0000000002D70000-0x0000000003D70000-memory.dmp

memory/3340-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.6268536215132375629531930852222768.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 37c8285dcc21b9b0a386787c882da5e7
SHA1 b844768ee0d8b8ac55c511a8eca4963362fc2c48
SHA256 f5f5f1c72be7b9047e4d1030714e6c3b90ee17872ab4af2f1bd76b4085e4b429
SHA512 bbde1dc0eab3fcf9d16c70597f3fe0d1ccb054a5d297e6bf66b4eaa2913e531a8b9a90ddbf8b7ea2400bf3e8eb878f99a1ac47fc095b11695357d7e22436449a

memory/432-151-0x0000000002D70000-0x0000000003D70000-memory.dmp

memory/3340-153-0x0000000003040000-0x0000000004040000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1081944012-3634099177-1681222835-1000\83aa4cc77f591dfc2374580bbd95f6ba_20e30e2f-4677-4eb9-89e6-7dd1fd044635

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/432-163-0x0000000002D70000-0x0000000003D70000-memory.dmp

memory/432-164-0x0000000002D70000-0x0000000003D70000-memory.dmp

memory/432-165-0x0000000002D70000-0x0000000003D70000-memory.dmp

memory/432-166-0x0000000002D70000-0x0000000003D70000-memory.dmp

memory/432-167-0x0000000002D70000-0x0000000003D70000-memory.dmp